AWS Security ChangesHomeSearch

AWS fedramp documentation change

Service: fedramp · 2026-02-16 · Documentation high

File: fedramp/latest/userguide/amazon-aurora-mysql.md

Summary

Expanded IAM policy documentation with role-based guides, testing procedures, and policy details

Security assessment

Significantly enhances least-privilege IAM documentation but doesn't fix vulnerabilities. Adds security feature documentation including MFA requirements, permission boundaries, and testing procedures to prevent misconfiguration.

Diff

diff --git a/fedramp/latest/userguide/amazon-aurora-mysql.md b/fedramp/latest/userguide/amazon-aurora-mysql.md
index 93e5dd421..62356a587 100644
--- a//fedramp/latest/userguide/amazon-aurora-mysql.md
+++ b//fedramp/latest/userguide/amazon-aurora-mysql.md
@@ -448 +448,47 @@ Sample IAM policies for least privilege access to Amazon Aurora MySQL
-**Read Only Policy:**
+### Policy Selection Guide
+
+Choose the appropriate policy based on your role:
+
+Policy | Use Case | MFA Required  
+---|---|---  
+Read Only |  Auditors, compliance reviewers, monitoring dashboards |  No  
+Operator |  Day-to-day operators managing resources |  Yes  
+Administrator |  Service administrators with full management access |  Yes (1-hour max)  
+  
+### Read Only Policy
+
+**Use this for:** Auditors, compliance reviewers, monitoring dashboards
+
+**Grants access to:**
+
+  * View resource configurations
+
+  * List resources
+
+  * Describe resource details
+
+
+
+
+**Does NOT grant:**
+
+  * Create or modify resources
+
+  * Delete resources
+
+  * Change configurations
+
+
+
+
+**Testing this policy:**
+    
+    
+    # Verify read access works
+    aws rds describe-db-instances
+    aws rds describe-db-clusters
+    
+    # Verify write access is denied (should fail)
+    aws rds modify-db-instance --db-instance-identifier test-db
+
+**Policy JSON:**
@@ -466 +512,36 @@ Sample IAM policies for least privilege access to Amazon Aurora MySQL
-**Operator Policy:**
+### Operator Policy
+
+**Use this for:** Day-to-day operators managing resources
+
+**Grants access to:**
+
+  * All read-only permissions
+
+  * Create and modify resources
+
+  * Perform operational tasks
+
+
+
+
+**Does NOT grant:**
+
+  * Delete critical resources
+
+  * Change security configurations
+
+  * Manage access policies
+
+
+
+
+**Testing this policy:**
+    
+    
+    # Verify operator access works (requires MFA)
+    aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --apply-immediately
+    
+    # Verify admin access is denied (should fail)
+    aws rds delete-db-cluster --db-cluster-identifier <cluster-id>
+
+**Policy JSON:**
@@ -492 +573,32 @@ Sample IAM policies for least privilege access to Amazon Aurora MySQL
-**Administrator Policy:**
+### Administrator Policy
+
+**Use this for:** Service administrators with full management access
+
+**Grants access to:**
+
+  * All operator permissions
+
+  * Delete resources
+
+  * Manage access policies
+
+  * Configure security settings
+
+
+
+
+**Requires:**
+
+  * MFA with maximum 1-hour session duration
+
+
+
+
+**Testing this policy:**
+    
+    
+    # Verify full admin access works (requires MFA)
+    aws rds create-db-cluster --db-cluster-identifier new-cluster --engine aurora-mysql
+    aws rds delete-db-cluster --db-cluster-identifier old-cluster --skip-final-snapshot
+
+**Policy JSON:**